COMP 4580 Computer Security. Web Security II. Dr. Noman Mohammed. Winter 2019


Slide 1: COMP 4580 Computer Security, Web Security II
Dr. Noman Mohammed, Winter 2019
Including slides from: Dan Boneh, David Brumley, Ian Goldberg, Jonathan Katz, John Mitchell, Vitaly Shmatikov and many others.

Slide 2: Outline
- Cookies
- Web Application Security
- Command Injection
- SQL Injection

Slide 3: Cookies
- Used to store state on the user's machine
- Browser sends a POST; the server's response carries the HTTP header:
    Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when expires); secure=(only over SSL)
- On later requests the browser sends the header:
    Cookie: NAME=VALUE
- HTTP is a stateless protocol; cookies add state

Slide 4: What Are Cookies Used For?
- Authentication: use the cookie to prove that the client previously authenticated correctly
- Personalization: recognize the user from a previous visit
- Tracking: follow the user from site to site; learn his/her browsing behavior, preferences, and so on

Slide 5: Setting/Deleting Cookies by Server
- Browser sends a GET; the server's response carries the HTTP header:
    Set-Cookie: NAME=VALUE; domain=(when to send); path=(when to send); secure=(only send over SSL); expires=(when expires); HttpOnly
  (domain and path define the cookie's scope)
- If expires is absent the cookie lasts for this session only
- Delete a cookie by setting expires to a date in the past
- Default scope is the domain and path of the setting URL

Slide 6: Scope Setting Rules
- Domain: any domain-suffix of the URL hostname, except the TLD
- Example: host = login.site.com
    allowed domains: login.site.com, .site.com
    disallowed domains: user.site.com, othersite.com, .com
- login.site.com can set cookies for all of .site.com, but not for another site or a TLD
- Path: can be set to anything

Slide 7: Example
- cookie 1: name=userid, value=test, domain=login.site.com, path=/, secure
- cookie 2: name=userid, value=test123, domain=.site.com, path=/, secure
- These are distinct cookies: cookies are identified by (name, domain, path)
- Both cookies are stored in the browser's cookie jar; both are in scope of login.site.com

Slide 8: Reading Cookies on Server
- Browser sends GET //URL-domain/URL-path with the header Cookie: NAME=VALUE
- The browser sends all cookies in URL scope:
    cookie-domain is a domain-suffix of URL-domain, and
    cookie-path is a prefix of URL-path, and
    [protocol = https if the cookie is secure]
- Goal: the server only sees cookies in its scope

Slide 9: Examples (both cookies set by login.site.com)
- cookie 1: name=userid, value=u1, domain=login.site.com, path=/, secure
- cookie 2: name=userid, value=u2, domain=.site.com, path=/, non-secure
- http://checkout.site.com/  ->  Cookie: userid=u2
- http://login.site.com/     ->  Cookie: userid=u2
- https://login.site.com/    ->  Cookie: userid=u1; userid=u2 (arbitrary order)
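The scope rules of slides 6, 8 and 9 as an added worked example (not from the slides): a small cookie jar that decides which cookies a browser attaches to a URL, plus the slide 6 check of which domains login.site.com may set. The Cookie class and JAR contents are constructed to match slide 9.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # host-only ("login.site.com") or domain cookie (".site.com")
    path: str
    secure: bool


def may_set_domain(setting_host: str, requested: str) -> bool:
    """Slide 6 rule: a host may set any domain-suffix of itself, except a bare TLD."""
    bare = requested.lstrip(".")
    if "." not in bare:                        # ".com" is a TLD: refused
        return False
    return setting_host == bare or setting_host.endswith("." + bare)


def domain_matches(url_host: str, cookie_domain: str) -> bool:
    """cookie-domain must be a domain-suffix of the URL host."""
    if cookie_domain.startswith("."):
        return url_host == cookie_domain[1:] or url_host.endswith(cookie_domain)
    return url_host == cookie_domain           # host-only cookie: exact match


def cookies_for(jar, url: str):
    """Slide 8: the cookies the browser attaches to a request for url."""
    u = urlsplit(url)
    path = u.path or "/"
    return [c for c in jar
            if domain_matches(u.hostname, c.domain)
            and path.startswith(c.path)
            and (u.scheme == "https" or not c.secure)]


def cookie_header(jar, url: str) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for(jar, url))


# Constructed jar reproducing slide 9 (both cookies set by login.site.com).
JAR = [
    Cookie("userid", "u1", "login.site.com", "/", secure=True),
    Cookie("userid", "u2", ".site.com", "/", secure=False),
]

if __name__ == "__main__":
    for url in ("http://checkout.site.com/", "http://login.site.com/", "https://login.site.com/"):
        print(url, "->", cookie_header(JAR, url))
```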

Slide 10: Client Side Read/Write
- Setting a cookie in JavaScript:
    document.cookie = "name=value; expires=...";
- Reading a cookie: alert(document.cookie) prints a string containing all cookies available to the document, based on (domain, path)
- Deleting a cookie:
    document.cookie = "name=; expires=Thu, 01-Jan-70";
- document.cookie is often used to customize the page in JavaScript

Slide 11: HttpOnly Cookies
- Browser sends a GET; the server's response carries the HTTP header:
    Set-Cookie: NAME=VALUE; HttpOnly
- The cookie is sent over HTTP(S) but is not accessible to scripts: it cannot be read via document.cookie
- Helps prevent cookie theft via XSS, but does not stop most other risks of XSS bugs

Slide 12: Viewing/Deleting Cookies in Browser (screenshot)

Slide 13: Cookies have no integrity!
- The user can change and delete cookie values: edit the cookie file, or modify the Cookie header
- Silly example: shopping cart software
    Set-Cookie: shopping-cart-total=150 ($)
  The user edits the cookie file (cookie poisoning):
    Cookie: shopping-cart-total=15 ($)
- Similar to the problem with hidden fields:
    <INPUT TYPE="hidden" NAME="price" VALUE="150">

Slide 14: Solution: Cryptographic Checksums
- Goal: data integrity
- Requires a secret key k unknown to the browser
- Server generates the tag T = F(k, value) and sends: Set-Cookie: NAME=value||T
- Browser returns: Cookie: NAME=value||T
- Server verifies the tag: does T equal F(k, value)?
- value should also contain data to prevent cookie replay and swap

Slide 15: Outline (repeated; next section: Web Application Security)

Slide 16: Reported Web Vulnerabilities
- Chart of data from an aggregator and validator of NVD-reported vulnerabilities

Slide 17: Three Top Web Site Vulnerabilities
- SQL Injection: the browser sends malicious input to the server; bad input checking leads to a malicious SQL query
- CSRF (Cross-site request forgery): a bad web site sends the browser a request to a good web site, using the credentials of an innocent victim
- XSS (Cross-site scripting): a bad web site sends an innocent victim a script that steals information from an honest web site

Slide 18: Outline (repeated; next section: Command Injection)
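Slide 14's checksum as an added example (not from the slides), with F instantiated as HMAC-SHA256. The value is bound to its owner and an expiry before tagging, which is the "data to prevent cookie replay and swap" the slide calls for. KEY, the "|" separator and the function names are constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed server-side key; in practice loaded from configuration and never sent to the browser.
KEY = b"example-server-key-change-me"


def _tag(key: bytes, name: str, body: str) -> str:
    # T = F(k, value); the cookie name is mixed in so a tag cannot be moved to another cookie
    return hmac.new(key, f"{name}|{body}".encode(), hashlib.sha256).hexdigest()


def make_cookie_value(key: bytes, name: str, value: str, user: str, expires_at: int) -> str:
    """Value the server puts in Set-Cookie: value, owner and expiry, then the tag."""
    if "|" in value or "|" in user:
        raise ValueError("value and user must not contain the separator")
    body = f"{value}|{user}|{expires_at}"
    return f"{body}|{_tag(key, name, body)}"


def verify_cookie_value(key: bytes, name: str, cookie: str, expected_user: str, now=None):
    """Return the protected value, or None if the cookie was modified, swapped or replayed."""
    now = time.time() if now is None else now
    parts = cookie.rsplit("|", 3)
    if len(parts) != 4:
        return None
    value, user, expires_at, tag = parts
    body = f"{value}|{user}|{expires_at}"
    if not hmac.compare_digest(tag, _tag(key, name, body)):
        return None                 # edited value (or wrong key): tag no longer verifies
    if user != expected_user:
        return None                 # swap: a valid tag, but for another user's session
    if not expires_at.isdigit() or int(expires_at) < now:
        return None                 # replay of an expired cookie
    return value


if __name__ == "__main__":
    c = make_cookie_value(KEY, "cart", "150", "alice", int(time.time()) + 3600)
    print("Set-Cookie: cart=" + c)
    print("verify as alice:", verify_cookie_value(KEY, "cart", c, "alice"))
    print("edited to 15  :", verify_cookie_value(KEY, "cart", c.replace("150|", "15|", 1), "alice"))
```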

Slide 19: Typical Web Application Design
- Runs on a web server or application server
- Takes input from web users (via the web server)
- Interacts with back-end databases and third parties
- Prepares and outputs results for users
    Dynamically generated HTML pages
    Content from many different sources, often including the users themselves: blogs, social networks, photo-sharing websites

Slide 20: Dynamic Web Application
- Browser sends GET / HTTP/1.0 to the web server; the web server runs index.php, which talks to the database server, and answers HTTP/1.1 200 OK

Slide 21: PHP: Hypertext Preprocessor
- Server scripting language with C-like syntax
- Can intermingle static HTML and code:
    <input value="<?php echo $myvalue; ?>">
- Can embed variables in double-quote strings:
    $user = "world"; echo "Hello $user!";
  or
    $user = "world"; echo "Hello " . $user . "!";

Slide 22: Command Injection in PHP
- Request: http://victim.com/copy.php?name=username
- copy.php includes system("cp temp.dat $name.dat"), where $name is supplied by the user!
- The user instead calls: http://victim.com/copy.php?name=a; rm *
- copy.php executes: system("cp temp.dat a; rm *");

Slide 23: Injection
- Injection is a general problem: typically caused when data and code share the same channel
- For example, the code is cp and the filename is the data, but ; allows an attacker to start a new command
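The "data and code share the same channel" point of slides 22 and 23, as an added example that is not from the slides: the same name parameter is shown first as the single string a shell would parse, then passed as its own argv element (no shell involved), and finally checked against a whitelist. The demo runs in a throwaway directory and assumes a POSIX cp on PATH; SAFE_NAME and the function names are constructed.

```python
import os
import re
import subprocess
import tempfile

# Whitelist for the name parameter, in the style of slide 39: no shell metacharacters can pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def shell_command(name: str) -> str:
    """The single string copy.php hands to system(): code and data share one channel."""
    return f"cp temp.dat {name}.dat"


def valid_name(name: str) -> bool:
    return SAFE_NAME.match(name) is not None


def copy_without_shell(workdir: str, name: str) -> list:
    """Pass the name as a separate argv element; no shell ever parses the ';'."""
    subprocess.run(["cp", "temp.dat", f"{name}.dat"], cwd=workdir, check=True)
    return sorted(os.listdir(workdir))


def copy_safely(workdir: str, name: str) -> list:
    """Hardened copy.php: whitelist the name, then use the argv form."""
    if not valid_name(name):
        raise ValueError("invalid file name")
    return copy_without_shell(workdir, name)


def demo(name: str = "a; rm *") -> list:
    """Constructed scenario: the slide 22 input against the argv form."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "temp.dat"), "w") as f:
            f.write("data")
        return copy_without_shell(d, name)


if __name__ == "__main__":
    print("shell would run:", shell_command("a; rm *"))
    print("argv form wrote:", demo())      # one file literally named "a; rm *.dat"; temp.dat survives
```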

Slide 24: Outline (repeated; next section: SQL Injection)

Slide 25: SQL
- Widely used database query language
- Fetch an attribute:
    SELECT PersonID FROM Person WHERE Username='Alice'
- Query syntax is (mostly) independent of vendor

Slide 26: Database Queries with PHP
- Sample PHP:
    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executequery($sql);
- Problem: what if recipient is a malicious string that changes the meaning of the query?

Slide 27: SQL Injection: Basic Idea
- (1) The attacker posts a malicious form to the victim server; (2) the server sends an unintended query to the victim SQL DB; (3) the attacker receives data from the DB
- This is an input validation vulnerability
- Unsanitized user input in a SQL query to the back-end database changes the meaning of the query
- Specific case of command injection

Slide 28: Exploits of a Mom (comic). Let's see how this attack works.

Slide 29: SQL Injection Example

Slide 30: Normal Login
- Web browser (client): the user enters username & password
- Web server sends to the DB:
    SELECT * FROM Users WHERE user='me' AND pwd='1234'

Slide 31: Bad Input
- Suppose user = ' or 1=1 -- (URL encoded)
- Then the script does:
    SELECT ... WHERE user='' or 1=1 -- ...
- The -- causes the rest of the line to be ignored
- Now the login succeeds
- The bad news: easy login to many sites this way

Slide 32: Even Worse (comic)

Slide 33: Even Worse
- Suppose user = '; DROP TABLE Users --
- Then the script does:
    SELECT ... WHERE user=''; DROP TABLE Users -- ...
- Deletes the Users table
- Similarly: the attacker can add users, reset passwords, etc.

Slide 34: SQL Injection Example
    View pizza order history:<br>
    <form method="post" action="...">
    Month <select name="month">
    <option value="1">Jan</option>
    ...
    <option value="12">Dec</option>
    </select>
    <p>
    <input type="submit" name="submit" value="view">
    </form>

Slide 35: SQL Injection Example
- Normal SQL query:
    SELECT pizza, toppings, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10
- Attack: malicious query. For the order_month parameter, the attacker could input
    <option value="0 OR 1=1">Dec</option>
  so the query becomes
    ... WHERE userid=4123 AND order_month=0 OR 1=1
- The WHERE condition is always true! This gives the attacker access to other users' private data!

Slide 36: SQL Injection Example: All User Data Compromised (screenshot)

Slide 37: CardSystems Attack (June 2005)
- CardSystems was a major credit card processing company
- Put out of business by a SQL injection attack
- Credit card numbers stored unencrypted
- Data on 263,000 accounts stolen
- 43 million identities exposed

Slide 38: Attack on Microsoft IIS (April 2008) (screenshot)

Slide 39: Preventing SQL Injection: Input Validation
- Blacklisting
    Apostrophes, semicolons, percent symbols, hyphens, underscores, ...
    Any character that has special meaning
- Whitelisting
    Blacklisting bad characters doesn't work: you forget to filter out some characters, and it could prevent valid input (e.g., the last name O'Brien)
    Allow a well-defined set of safe values: [A-Za-z0-9]*, [0-1][0-9]
    The valid input set is defined through regular expressions

Slide 40: Preventing SQL Injection: Escaping Quotes
- For valid string inputs, use escape characters to prevent the quote from becoming part of the query: convert ' into \'
- Different databases have different rules for escaping

Slide 41: Recap: SQL Injection
- Bad input checking allows a malicious SQL query
- Known defenses address the problem effectively
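The login query of slides 26 and 31, the order_month query of slide 35, and the whitelist defense of slide 39, as one added example that is not from the slides. It uses an in-memory SQLite database with constructed rows; the string-spliced functions reproduce the vulnerable pattern, while the safe ones use parameterized queries (the driver's own escaping, so slide 40's per-database rules never have to be hand-written) plus a regular-expression whitelist for the month.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory tables mirroring the slides' Users and orders examples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(user TEXT, pwd TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)", [("me", "1234"), ("admin", "s3cret")])
    db.execute("CREATE TABLE orders(userid INT, order_month INT, pizza TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(4123, 10, "margherita"), (4123, 11, "funghi"), (9999, 10, "quattro")])
    return db


def login_vulnerable(db, user: str, pwd: str) -> list:
    """Slide 26/30 pattern: user input spliced into the query text."""
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return db.execute(sql).fetchall()


def login_safe(db, user: str, pwd: str) -> list:
    """Parameterized query: values travel separately from the SQL, so quotes stay data."""
    return db.execute("SELECT * FROM Users WHERE user=? AND pwd=?", (user, pwd)).fetchall()


MONTH = re.compile(r"^(0?[1-9]|1[0-2])$")   # slide 39 style whitelist for order_month


def valid_month(param: str) -> bool:
    return MONTH.match(param) is not None


def orders_vulnerable(db, userid: int, month_param: str) -> list:
    """Slide 35 pattern: a numeric parameter needs no quote to be injected."""
    sql = f"SELECT pizza FROM orders WHERE userid={userid} AND order_month={month_param}"
    return db.execute(sql).fetchall()


def orders_safe(db, userid: int, month_param: str) -> list:
    if not valid_month(month_param):
        raise ValueError("order_month must be 1..12")
    return db.execute("SELECT pizza FROM orders WHERE userid=? AND order_month=?",
                      (userid, int(month_param))).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with ' or 1=1 -- :", login_vulnerable(db, "' or 1=1 --", "x"))
    print("safe login with the same input  :", login_safe(db, "' or 1=1 --", "x"))
    print("vulnerable orders, 0 OR 1=1     :", orders_vulnerable(db, 4123, "0 OR 1=1"))
    print("whitelist accepts 0 OR 1=1?     :", valid_month("0 OR 1=1"))
```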